
I'm using createCommand in Yii Framework and I want to know about using bindValue for the params, e.g.:

    Yii::app()->db->createCommand()
        ->update('table', array(
            'field'=>'$valuefield',
        ), 'id_table=:id_table', array(':id_table'=>$id_table));

In this case, are the values of $valuefield and $id_table protected? Or should I create the SQL query manually and pass the parameters with bindValue?

Thank you!

  • What do you mean by `are protected`? – ScaisEdge Jul 24 '15 at 21:51
  • 1
    If by _protected_ you mean _escaped_, then `$id_table` is escaped because you're passing it correctly. `$valuefield` will not be passed correctly, because you have it in single quotes. Do it this way: `Yii::app()->db->createCommand()->update('table', array('field'=>':valuefield'), 'id_table=:id_table', array(':id_table'=>$id_table, ':valuefield'=>$valuefield));` – Beowulfenator Jul 25 '15 at 11:25
  • I meant sanitized. Thank you for your reply, I will apply it in my query. – Ricardo Bortolotti Jul 27 '15 at 12:26

1 Answer

In this case, the value of $valuefield and $id_table are protected?

Yes. The update method automatically binds the array's values passed in the second param. And you also manually bind the param for the condition. To prevent SQL injection, always use binding.

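The two bound forms discussed above, written out as an added example (not code from the question or the answer). It assumes Yii 1.x with a configured `Yii::app()->db` and a table `table` with columns `field` and `id_table`; the function names and the allow-list are my own.

```php
<?php
// Added example: parameter binding with Yii 1.x CDbCommand, in the two
// forms discussed in the thread. Assumes Yii::app()->db is configured.

function updateFieldWithUpdateHelper($idTable, $valueField)
{
    // update() turns each entry of the $columns array into a bound
    // placeholder itself; the WHERE placeholder is bound through $params.
    // NOTE: writing '$valuefield' in single quotes (as in the question) binds
    // the literal string "$valuefield", not the variable's value.
    return Yii::app()->db->createCommand()->update(
        'table',
        array('field' => $valueField),      // bound automatically by update()
        'id_table = :id_table',             // condition uses a placeholder
        array(':id_table' => $idTable)      // bound explicitly
    );
}

function updateFieldWithManualBinding($idTable, $valueField)
{
    // Equivalent hand-written SQL with explicit bindValue() calls. The values
    // travel separately from the SQL text, so they are never parsed as SQL.
    $command = Yii::app()->db->createCommand(
        'UPDATE `table` SET `field` = :field WHERE `id_table` = :id_table'
    );
    $command->bindValue(':field', $valueField, PDO::PARAM_STR);
    $command->bindValue(':id_table', (int) $idTable, PDO::PARAM_INT);
    return $command->execute();   // number of affected rows
}

// Caveat: placeholders only cover values. A column name that comes from
// user input cannot be bound, so it must be checked against an allow-list
// (a hypothetical list, constructed for this example) before it is used.
function updateAllowListedColumn($column, $idTable, $value)
{
    $allowedColumns = array('field', 'other_field');
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException('Column not allowed: ' . $column);
    }
    return Yii::app()->db->createCommand()->update(
        'table',
        array($column => $value),           // value is still bound
        'id_table = :id_table',
        array(':id_table' => $idTable)
    );
}
```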